Translated IPF HOWTO, translation, this bird version of Howto previously printed a while, IPF is really much better than IPFW, let's take a look at the rules below, very good completion Enter the task of the server, vertical thumb. But do NAT, or use IPFW, simple enough
Let's show the rules of IPF of my WWW server.
Unixer @ www2 $ cat /etc/ipf.rules
#### block scaner ####
Block in log Quick All with short
Block in log quick all with ipopts
Block in log quick all with frag
Block in log quick all with opt lsrr
Block in log quick all with opt ssrr
#### send Rst to Scaner Like Blackhole #####
#Block Return-Rst in log on fxp0 proto tcp from any to any flags s / sa
#Block Return-ICMP (Net-Unr) in log on fxp0 proto udp from any to any
Pass Out Quick ON fxp0 proto tcp from any to any Keep State
Block Out Log Quick on FXP0 ALL
Pass in quick on fxp0 proto tcp from any to any port = 80 flags s / sa keep state
Pass in quick on fxp0 proto tcp from any to any port = 1024 flags s / sa keep stat
Block in Quick ON FXP0 All
Below is the article I reprinted
Xiaojl
Brendan conoBoy
Erik Fichtner
$ Freebsd: src / share / examples / ipfilter / ipf-howto.txt, v 1.1.2.1 2002/04/27 20:04:18 Darrenr EXP $
Summary: This document introduces the IP Filter firewall software to beginners, and introduces some basic methods of designing firewalls.
1.1 declaration
The author is not responsible for the destruction caused by this document, the document only introduces a firewall based on IPFilter. If you think that the action you take is not appropriate, you should stop reading the document, please have a qualified security expert to install a firewall for you.
1.2 copyright
This document is copyrighted by each author unless otherwise. Some or all documents can be copied and re-released in various media, as long as you save the copyright statement in all copies. Any business nature publishing should notify the author of the document.
All translation documents and other derivative documents should retain copyright statements.
1.3 Where can I get an important document?
IPF official website:
http://coombs.anu.edu.au/~avalon/ip-filter.html
The latest version of the document can be found here:
http://www.obfuscation.org/ipf/
2. Basic firewall
This part will make you have a general understanding of the syntax and firewall principle of IPFilter. The firewall features discussed here can be found in any good firewall software. This part will make you easier to read and understand the advanced parts of the following. It must be mentioned that this part is not enough to build a good firewall if you want to create an efficient security system you should read the advanced part.
2.1 Structure, order and priority
IPF has a configuration file (or some running command). This file follows the Unix style: each row of rules, "#" means comments, excess spaces will be ignored, we encourage the readability of the rule file. 2.2 Basic rules processing
Each rule is in order from top to bottom. This means that if your configuration file is like this:
Block in all
Pass in all
Computers will depend on it
Block in all
Pass in all
That is, when there is a package, the first rule works:
Block in all
Next IPF will pass the package to the next rule, and the second rule will work:
Pass in all
At this time, you may ask IPF to execute the second rule? If you are familiar with IPFWADM or IPFW, you may not ask this question. Maybe you will be confused about the walrow of the package, and many packages filtering software will not match one rule, but IPF does not belong to this type.
Unlike other package filters, IPF will make a tag for each package, whether this package is passed or not. IPF will traverse the entire rule set, unless you interrupt its traversal, then IPF decide to pass or abandon this package according to the last rule. When a package enters an interface (such as RL0, TUN0), IPF starts working, he checks this package first, then check the first rule:
Block in all
IPF said: "I should stop this package now." It also look at the second rule:
Pass in all
"I should pass this package now." It also look at the third rule, there is no third rule, so this package passes this package forward according to the last rule.
It should now be pointed out that even your rule is like this:
Block in all
Block in all
Block in all
Block in all
Pass in all
This package is still passed. The rules have not been accumulated. The last matching rules are always preferred.
2.3 Execution of the control rules
If you have experience in using other package filters, you may find that this design is confusing, you will feel that there will be some problems with this matching speed. Imagine if you have 100 rules, and the most useful is the top 10, each package is a terrible overhead through this 100 rules. Fortunately, you can add a keyword to any rule, as long as this rule is matched, this rule will work immediately without going to the last rule. This keyword is Quick. This is a modified rule set, joined Quick:
Block in Quick All
Pass in all
In this case, IPF checks the first rule:
Block in Quick All
Match this rule and end. This package is abandoned, there is no prompt, record. So what about the next rule?
Pass in all
This rule will never be checked, just like not in the configuration file. ALL is very broad and Quick will work on the back rules.
Here IPF is like blocking the package as it is configured, IPF can also make some packages, we can change the rule group slightly.
2.4 Filter based on IP address
IPF can filter packets in many ways, one of our most familiarity is an IP address, some IP address space we are absolutely will not communicate with it, (suppose) one of them is not routing network, 192.168.0.0 / 16 / 16 is a subnet mask, IPF can also use 255.255.0.0). If you want to stop 192.168.0.0/16, you can do this:
Block in Quick from 192.168.0.0/16 to anypass in all
Now we have a less stringent rule set, which can do something for us. When a package from 1.2.3.4 comes in, query the first rule:
Block in Quick from 192.168.0.0/16 to any
This package is not from 192.168. *. *, So does not match. Query the second rules:
Pass in all
This package matches, this package is transmitted to its destination.
On the other hand, suppose we have a package from 192.168.1.2, the first rule is performed:
Block in Quick from 192.168.0.0/16 to any
Matching, the package is discarded, end (not executing the next rule), because the first rule contains the Quick keyword.
Now you can pass or block a wide range of addresses from the packets, we prevent the private address of our firewall in the examples, let us see other rules:
Block in Quick from 192.168.0.0/16 to any
Block in Quick from 172.16.0.0.0.0/12 to any
Block in Quick from 10.0.0.0.0/8 to any
Pass in all
The previous 3 IP address belongs to the private IP address space.
2.5 Control Interface
Many companies have internal networks before they enter the external network. In fact, the first place to use the firewall is here, the machine connected to the external network and the internal to the router is the router, which is different from other machines that it has multiple interfaces. All you have received and all your packages have passed through the network interface. Suppose you have 3 interfaces, Lo0 (Lo0 (3Com Ethernet), Tun0 (interface in FreeBSD), you don't need packets to enter your tun0 interface.
Block in Quick on Tun0 All
Pass in all
Here, the keyword "ON" describes the data for the TUN0 interface. When a package enters TUN0, the first rule matches and discards this package, when a packet enters the LO0 or XL0, the first rule does not match, the second rule matches, the data is passed.
2.6 Joint IP Address and Interface
The more rule standards (such as IP, port, interface), the more rigorous firewalls, maybe you need to transfer data through TUN0, but do not want to pass packets from 192.168.0.0/16. The following rules are the beginning of a firewall:
Block in quick on tun0 from 192.168.0.0/16 to any
Pass in all
Based on the rules, we use tun0 to block packets from the TUN0 interface, when a packet from 192.168.0.0.0/16 reaches XL0, which will pass. Now we can build a firewall that blocks or allows a wide range of addresses in accordance with the interface:
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0.0.04 to anyblock in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Pass in all
You have learned that the first 3 address address space, the fourth block is the loop address (wasting a large block A network address), many software communicates with the unit through 127.0.0.1, so the source address should be the data of the external address. package. The fifth address is 0.0.0.0.0/8, there should be no in the Internet, most of the IP stacks apply 0.0.0.0/32 as the default gateway, other 0. *. *. *, Different systems have different strange strange Treatment method. 169.254.0.0/16 Allocated by IANA to those machines that are not available through the DHCP as automatic IP addresses. In particular, the Windows operating system often uses this IP address segment, and when they get IP addresses through DHCP, but they have failed to find DHCP servers. 192.0.2.0/24 is the IP address segment used by the author, and it is also a reserved address. 20.20.20.4/24, 204.152.64.0/23 is the IP address reserved by Sun, and whether it will prevent yourself from deciding. 224.0.0.0/3 is mainly used for multicast addresses, almost included D-class, E-class addresses, and other D-class addresses can look up RFC1166.
There is a very important principle that has been filtered, which is the passage of the private address, unless you are confident that there is a private address to communicate), when you know the source address of some type of data, you should build only allowable from this The data of the address is passed. For example, the non-route address is 10.0.0.0/8 packets should not reach Tun0, because you can't reply this packet, this is an illegal packet, 127.0.0/8 is also Types of.
Many software authenticates according to the original address of the packet, when you have an internal network 20.20.20.0/24, only internal data exchange, but there is a packet to leave the internal network, such as a source address is 20.20.20.0/24 Want to dial by PPP, this time you have reason to discard it, this type of packet should not reach its destination address, you can simply use IPF to implement. Rules are like this:
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Block in Quick on Tun0 from 20.20.20.0/24 to any
Pass in all
2.7 Bidirectional filter, keyword "out"
To now we have passed or blocked the packets of the firewall, it must be stated that the incoming packet reaches any of the firewalls. On the contrary, the packet out of the packet leaves any of the interfaces of the firewall (whether the local birth is still only through the firewall data package), that is, we can filter into the firewall's packets can also filter the packet of the firewall. Now we know that you can filter off the packet like filtering into the packet, one of us can think of is to prevent the camouflage packets from leaving our own network. If some other machines want to pass the IPF route a destination address is 192.168.0.0/16 packets, why don't we abandon it? The worst situation is just a waste of some bandwidth:
Block Out Quick on Tun0 from any to 192.168.0.0/16
Block Out Quick on Tun0 from any to 172.16.0.0/12
Block Out Quick on Tun0 from any to 10.0.0.0.0/8
Block Out Quick On Tun0 from any to 0.0.0.0/8
Block Out Quick on Tun0 from any to 127.0.0.0.0/8
Block Out Quick on Tun0 from any to 169.254.0.0/16
Block Out Quick on Tun0 from any to 192.2.2.0/24
Block Out Quick on Tun0 from any to 204.152.64.0/23
Block Out Quick on Tun0 from any to 224.0.0.0.0/3
Block Out Quick ON Tun0 from! 20.20.20.0/24 to any
The most reluctant point is that doing do not improve your security, but it can improve the security of others, and it is best to do this. Another point is because no one you can send a camouflage packet from your site, you are smaller by the target of CRACKERS. You will find a lot of access to the packet from leaving the firewall. There is a one you have to remember, that is, whether it is coming in or out of packets, it is relative to your firewall, not other machines.
2.8 Record, shutdown word "log"
All packets now are quietly passed or blocked, usually you want to know if you are attacked, but I don't want to record all the packets, and I want to know that I have been blocked from 20.20.0.0/24 data. The case of the package. In order to achieve this, I join the keyword log
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Block in log quick on tun0 from 20.20.20.0/24 to any
Pass in all
Now, our firewall can prevent data packets from unidentified address, but we have a lot of things to do, the first thing we have to do is to abandon 20.20.20.0/32 and 20.20.20.255/32 Packets to prevent smurf attacks (About SMURF attacks): block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Block in log quick on tun0 from 20.20.20.0/24 to any
Block in log quick on tun0 from any to 20.20.20.20.0/32
Block in log quick on tun0 from any to 20.20.20.20.255/32
Pass in all
2.9 Bidirectional filtering based on the interface
If you want to build a firewall rule group, you should consider each interface in each direction. The default status of IPFilter is through all packets, we should not rely on the default rules, you should consider every detail, each interface, until all the cases are included.
First we start from LO0, this interface is a communication between the procedures in this system, allowing it to pass:
Pass Out Quick on LO0
Pass in Quick on LO0
Then XL0, after we will strictly limit it, here we assume that our local network can trust, like LO0:
Pass Out Quick on XL0
Pass in Quick on XL0
Finally, TUN0, we have restricted TUN0, as follows:
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Block in log quick on tun0 from 20.20.20.0/24 to any
Block in log quick on tun0 from any to 20.20.20.20.0/32
Block in log quick on tun0 from any to 20.20.20.20.255/32pass in all
This is a very effective filtering rule to prevent 20.20.20.0/24 from being disguised. The following example will consider only one direction for easy access, and should consider each direction, each interface.
2.10 Control Protocol; Keyword "Proto"
Dewing service attack is as embarrassing, many DOS attacks use the operating system TCP / IP stack, which is usually used using ICMP packages. Why don't we stop all ICMPs?
Block in log quick on tun0 proto icmp from any to any
How many ICMP packages will be recorded and discarded from TUN0.
2.11 Filter ICMP with ICMP-TYPE keyword
Of course abandon all ICMP is not a good idea because it is still useful in some respects. Maybe you want to abandon those useless ICMP types. If you want ping and traceroute to work properly, you should let ICMP Types 0 and 11 pass. Strictly speaking, doing so doing so, weighing security and convenience, IPF can do this:
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 0
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 11
Remember that the order of the rules is very important. If we join the keyword "Quick" We must arrange the order of the rules before the Block
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 0
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 11
Block in log quick on tun0 proto icmp from any to any
Part of these three rules is added to the above to prevent spoofing. If we put these three rules in the forefront will have some problems
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 0
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 11
Block in log quick on tun0 proto icmp from any to any
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Block in log quick on tun0 from 20.20.20.0/24 to any
Block in log quick on tun0 from any to 20.20.20.0/32block in log quick on tun0 from any to 20.20.20.255/32
Pass in all
This problem is from 192.168.0.0/16 ICMP Type 0 packets according to the first rule, and the fourth rule will not work. The same ICMP will also pass and reach 20.20.20.0/24, which will open the latter door to the malicious Smurf attack, and the last two rules do not work. In order to avoid this situation, we put the ICMP rules behind the rules that prevent deception:
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to tun0 any
Block in log quick on tun0 from 20.20.20.0/24 to any
Block in log quick on tun0 from any to 20.20.20.20.0/32
Block in log quick on tun0 from any to 20.20.20.20.255/32
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 0
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 11
Block in log quick on tun0 proto icmp from any to any
Pass in all
Because we have prevented camouflage packets before ICMP, a camouflaged packet will not reach ICMP rules. This is important to remember the order of the rules.
2.12 TCP, UDP port; keyword "port"
We have filtered packets based on the protocol, and we can also filter it based on specific aspects of the protocol. The most useful aspect is the port number, RSH, RLogin, Telnet service is usually very useful, but because network sniffing and spoof attacks, these services implicit this unsafe factor, a very important compromise method is only internally Online service, prevent access to external networks. This is easy to do because RSH, RLOGIN, TELNET uses a dedicated port number (514, 513, 23). Easy to establish rules:
Block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 513
Block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 514
Block in log quick on tun0 proto tcp from any to 20.20.20.0.0/24 port = 23 These three rules must be accepted with external network (in order to easily prevent spoof rules)
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 0
Pass in quick on tun0 proto icmp from any to 20.20.20.0/24 ICMP-TYPE 11
Block in log quick on tun0 proto icmp from any to any
Block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 513
Block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 514
Block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 23
Pass in all
You may want to stop 514 / UDP (Syslog), 111 / TCP & 111 / UDP (Portmap), 515 / TCP (LPD), 2049 / TCP & UDP (NFS), 6000 / TCP (X11), and the like. You can get a complete system that is listening to port lists, netstat -a (or lsof -i if you have already installed).
If you want to block UDP, just change the TCP to UDP, below is for Syslog
Block in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 514
IPF has a simple method for simultaneously handling TCP and UDP, for Portmap:
Block in log quick on tun0 proto tcp / udp from any to 20.20.20.0/24 port = 111
3. Senior firewall introduction
This part of the document is closely related to the previous basic document, not only contains the concept of the senior firewall, but also contains some ipfilter features, once you are familiar with this part, you will be able to build a very robust firewall.
3.1 Mandarin: The rule of default refusal
Blocking services from ports There is a big problem: sometimes ports can be changed, RPC-based procedures Because port changes become bad, Lockd, Statd, and even NFSD listening ports are not 2049. This situation is very difficult, worse, is unlikely to always adapt to this change. We now build a new firewall rule, the first rules we will use are:
Block in all
All datagrams cannot be passed. There is nothing to use but it is safe. Suppose your server only runs a web service, no other. Even if there is no DNS query, only open 80 ports, we can join another rule to achieve:
Block in Tun0 All
Pass in Quick on Tun0 Proto TCP from any to 20.20.20.1/32 port = 80
The second rule will pass the data packet of the connection 20.20.20.1 port 80, and other packets cannot be passed. As a basic firewall, this is enough.
3.2 Status Rules
The role of the firewall is to block the data packets from A to B, assuming that we have such a rule: as long as it is a packet that arrives at the port 23 can pass. Similarly, as long as a packet has a FIN flag, we can pass, the firewall above the above does not know the start segment, an intermediate section, and end segment of the TCP / UDP / ICMP session. It is just a rule for all packets. We want to reach the port 23 packets are not stolen, change, that is, we hope to have a normal TCP / UDP / ICMP packet with port scan or DOS attack distinguished. This method is the Keeping State. We want to do both convenient and safe, many people have done this, like Ciscos has an ESTABLISHED Terms, which allows the connected TCP packets to pass. IPFW also has ESTABLISHED, IPFWADM has Setup / Established (Translator Note: The flags for establishing the connection flag / have established a logo), they all have this feature, but their names are easy to mislead. When we see it for the first time, we will think that our packing filter will track a packet to do what you want to do, the filter will know if a connection has been established. In fact, they all determine if a packet is to do, but the UDP / ICMP is not used to determine the flag bit, but UDP / ICMP is not used to implement this feature. If this is the case, anyone can fake these marker and make a packet through the firewall.
How is IPF handled on these issues? IPF is unlike other firewalls, it can truly track each packet and determine if a connection has been established. And IPF can handle TCP, UDP, ICMP, not just TCP. IPF is called Keep State, the keyword of the rule is Keep State.
Now you already know that the firewall checks each entering packet, check the packets per left. In fact, the status table checks each access or departing packet. The status table is a TCP / UPD / ICMP session (connection) table that can pass through the firewall rules. This will not be a serious security vulnerability, in fact this is the best in the firewall.
All TCP / IP sessions have started, middle and end (although sometimes these three stages are in the same package), only end phases without intermediate stages, or only intermediate stages without start-up sessions (normal session ) Is impossible. That is to say, what you have to do is to filter the beginning of the TCP / UDP / ICMP session. If the start phase of a session is allowed, then its intermediate stage and end phases can also pass (unless IP stack overflow or machine machine). Keeping State allows you to ignore the middle stage and end phases, but only focus on block or pass a new session. If a new session is passed, all of its subsequent packets are allowed to pass. This is an example of running SSH services (just ssh):
Block Out Quick on Tun0 All
Pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 22 Keep State
You will notice that there is no Pass Out rule. Despite this, this rule is complete. This is the Keeping State. Once a packet containing the SYN (initial phase) reaches the SSH server, the session state is established and saved (the translator Note: This packet can be free to enter and exit). This is another example:
Block in Quick on Tun0 All
Pass Out Quick On Tun0 Proto TCP from 20.20.20.1/32 to any KEEP State
In this case, the server does not run service. In fact, this is not a server, but a client. And this client does not want to enter the IP stack without an authenticated package. However, the client needs to access the Internet while the reply package is passed. This simple rule creates a status table for each outward TCP connection. When this status table is established, this TCP session will be unimpeded, and there is no inspection of the firewall rule set (the translator's note: Check by the status table). UDP and ICMP are also applicable: block in Quick on Tun0 All
Pass Out Quick On Tun0 Proto TCP from 20.20.20.1/32 to any KEEP State
Pass Out Quick On Tun0 Proto Udp from 20.20.20.1/32 to any key keep state
Pass Out Quick On Tun0 Proto ICMP from 20.20.20.1/32 to any Keep State
This will use ping, we have established a connection status for TCP, UDP, ICMP (Translator Note: Strictly speaking UDP, ICMP session does not establish a connection status, just the firewall saves the connection status). Now we can connect out, attackers can't access it. This is very convenient, because we don't have to track which ports are listening, but just track those ports we want others to connect.
State is very convenient, but some opportunity is needed. In some strange and confused usage, you may "move the stone to your own feet". Consider the following rules:
Pass in Quick on Tun0 Proto TCP from any to 20.20.20.1/32 port = 23
Pass Out Quick on Tun0 Proto TCP from Any To Any Keep State
Block in Quick All
Block Out Quick All
This looks like a good firewall rule, we allow access and connect 23 ports through the firewall, and all external connections are allowed. Undoubtedly, all the packets of all connect ports 23 will receive a reply, the firewall Pass Out rule will establish a status record, all things will be perfect, at least we think so.
Unfortunately, this status record will be closed (not 5 days) after 60 seconds, this is because this status record can't see the SYN packet of the connection port 23, it only sees SYN ACK (SYN Reply). The IPF is well suited to track the TCP connection from the beginning to the end, but it is not good at tracking the intermediate of the connection, so it should be rewritten like this to rewrite the firewall rules:
Pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 Keep State
Pass Out Quick on Tun0 Proto TCP from Any To Any Keep State
Block in Quick All
Block Out Quick All
The rules of the new addition will establish a status record for each SYN packet, and work is good as we expect. Once the status engine discovers a connection 3 times, this connection will be completed. For 4/4 mode, this mode means a long-time data exchange has been established until this connection is removed (IPFstat -s can see the connection mode).
3.3 State UDP
UDP is a stateless protocol, so it has a great difficulty to establish a reliable status connection, despite this, IPF is pretty good in this regard. When the machine A sends a UDP package, the source port is x, the destination port is Y, the IPF will allow the source Y to the machine X source port Y, the destination port is the reply package of X. This is a short-term status record, just 60 seconds. This is an example, querying the IP address of www.3com.com with nslookup:
$ nslookup www.3com.com
A DNS package is generated:
17: 54: 25.499852 20.20.20.1.211> 198.41.0.5.53: 51979
This package is from 20.20.20.1 ports 2111 to 192.41.0.5 port 53. A 60-second status record is created. In 60 seconds, from 192.41.0.5 ports 53 to 20.20.20.1 port 2111 package will pass, just like you see:
17: 54: 25.501209 198.41.0.5.53> 20.20.20.1.2111: 51979 Q: www.3com.com
The reply package meets the status record, allows the pass, the reply package is passed, and the status record is turned off, not allowing new packets to enter, even if this package comes from the same place.
3.4 There is a stateful ICMP
IPFilter is like processing TCP, and UDP is processed like the ICMP status, just like you understand. ICMP has two main types of information: requests and reply. Suppose we wrote such a rule:
Pass Out on tun0 proto icmp from any to any iCMP-TYPE 8 Keep State
Allows to send a reply request (typical ping) outward, the result is the package reply to ICMP-TYPE 0 and pass. This status record is an incomplete 0/0 (compared to 4/4) state, which will be deleted after 60 seconds. This will save the status for each outgoing ICMP package, you will get a reply of each ICMP.
However, most of the ICMP messages are generated by the wrong UDP (sometimes TCP) packets, and error ICMP messages (timeout or ports are not arrogant) in the 3.4.x IPFilter will record according to the UDP (sometimes TCP) status record. Through the firewall. In the old ipfilter, if you want Traceroute to work properly, you need this:
Pass Out on tun0 proto udp from any to any port 33434> <33690 Keep State
Pass in tun0 proto icmp from any to any iCMP-TYPE TIMEX
And now you only need to save the status for the UDP:
Pass Out on tun0 proto udp from any to any port 33434> <33690 Keep State
Block in Quick on Tun0 All
Pass Out Quick On Tun0 Proto TCP from 20.20.20.1/32 to any KEEP State
In order to prevent third-party ICMP messages from entering your firewall through a activity connection, the firewall not only performs the source address and destination address of the entry ICMP message (sometimes including ports, if available), the load in the ICMP message (generated Part of the package of the ICMP message is checked.
3.5 FIN Scan Detection; Keyword Flags, Keep Frags
First review 4 rules above
Pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 Keep State
Pass Out Quick On Tun0 Proto TCP from Any To Any Keep StateBlock in Quick All
Block Out Quick All
These rules are not satisfactory, the problem is that not only the SYN package is allowed to reach 23 ports but also allow old packets to pass. We can change the above rules with keyword flags:
Pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 Flags s Keep State
Pass Out Quick On Tun0 Proto Tcp from any to any flags s keep stat
Block in Quick All
Block Out Quick All
Only the destination address is now 20.20.20.1, the destination port 23 can pass the TCP package with the SYN flag. The SYN logo exists only in the first packet of the TCP session (called TCP for the first time to shake hands), which is what we hope, doing at least two benefits: First, all packs can enter firewall and put you The state table is messy. Second, FIN and XMAS scans will not pass because their logo is not SYN. Now the packet now is either the SYN package or the packet has been established. If other packets are entered, it is probably a port scan or forged packet, but it may be a fragmentation. IPF can handle sharpening with keyword Keep Frags. Plus this keyword, IPF will track those shards, allowing the shards we need to pass. We rewrite the rules, allow fragmentation and record the camouflage package:
Pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 Flags S Keep State Keep Frags
Pass out quick on tun0 proto tcp from any to any key keep state flags s keep frags
Block in log quick all
Block Out log quick all
These rules will work because all packages have passed before block. But you can't find SYN scan, if you feel unhappy, you can record all SYN packages.
3.6 Responding to the preceded packet
Now we blocked by us are discarded, or records, we did not send any response to the source host. Sometimes this is not the best way, because if this is equal to telling an attacker, we have a pack filter. It is best to be able to mislead attacker believes that we don't have a filter and there is no service to attack.
When a service is running on a UNIX system, it usually makes the remote host know by reply. Reply by the RST package in the TCP. When a TCP is blocked, the IPF is actually returned to an RST to the source host (with keyword return-rst). Now we can do this
Block Return-Rst in log proto tcp from any to 20.20.20.0/24 port = 23
Block in log quick on tun0
Pass in all
Return-RST is only available for TCP, we also want to use UDP, ICMP, and other protocols (hereinafter described), now the remote host will get the Connection Refused instead of the connection timed out.
When someone sends a packet to a UDP port of your system, the firewall may also send an error message. As long as your rule is like this:
Block in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 111
You can use the rules that join the Return-ICMP keyword to replace the above rules to send a reply block return-icmp (port-unr) in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 111
According to the TCP / IP specification, a packet is sent to a port of the server, and the server will issue port-unreachable when the server is listening to this port. Of course, you can use other ICMP types, but Port-Unreachable may be best. This is also the default ICMP type used to reply.
However, when you use Return-ICMP, you will find that it is not very secure because the ICMP package contains the IP address of the firewall, not the destination address of the original packet. This problem has been resolved in the version after IPfilter3.3, and a new keyword return-ICMP-As-Dest has been added. This is a new rule:
Block Return-ICMP-As-Dest (Port-Unr) in log on tun0 proto udp from any to 20.20.20.0/24 port = 111
In addition, you have to use it with a reply package, and you can use it when you know what data you want to reply. For example: If you send Return-ICMP to the broadcast address of the LAN, the LAN will be submerged in a short period of time.
3.7 log
If you want to use the log device DEV / IPL, remember to join the keyword log. In order to see the log information, you must run IPMON (or other read / dev / iPl software). Generally written to Syslog using IPMON -S. Take ipfilter3.3 as an example, you can even control the behavior of Syslog records through keyword log level:
Block in log level auth.info quick on tun0 from 20.20.20.0/24 to any
Block in log level auth.alert Quick On Tun0 Proto TCP from any to 20.20.20.0.0/24 port = 21
In addition, you can also crop the recorded information, such as you are interested in someone to scan your Telnet, but how many times is it to scan your Telnet port, you can log first keywords to record the first package .
Another use of logs is to track the package you interested, and record its head field. Ipfilter uses the keyword log body to record the first 128 bytes of each package. You should limit using the Body Log because it will make your log lengthy.
3.8 Merge All Rules
Now we have a very rigorous firewall, but it can be more rigorous. It is actually very useful for the rule set we have removed to prevent deception. It is recommended to add it:
Block in tun0
Block in quick on tun0 from 192.168.0.0/16 to any
Block in quick on tun0 from 172.16.0.0/12 to any
Block in quick on tun0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick on Tun0 from 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0/8 to any
Block in quick on tun0 from 169.254.0.0.0/16 to any
Block in quick on tun0 from 192.0.2.0/24 to any
Block in quick on tun0 from 204.152.64.0/23 to any
Block in Quick on Tun0 from 224.0.0.0.20.0/24 to any iNY
Block in log quick on tun0 from any to 20.20.20.20.0/32
Block in log quick on tun0 from any to 20.20.20.20.255/32
Pass Out Quick On Tun0 Proto TCP / UDP from 20.20.20.1/32 to any Keep State
Pass Out Quick On Tun0 Proto ICMP from 20.20.20.1/32 to any Keep State
Pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80 Flags S Keep State
3.9 Optimizing the firewall with rule group
Let us expand our firewall, making our firewall more useful, as an example we will change the interface name XL0, XL1, XL2.
XL0 offline 20.20.20.0/26
XL1 is used for agency 20.20.20.64/26
XL2 connection with firewall protection network 20.20.20.128/25
Let's define the whole rule first, you should understand it clearly:
Block in Quick on XL0 from 192.168.0.0/16 to any
Block in Quick on XL0 from 172.16.0.0.0.0.0.0.0 to any
Block in Quick on XL0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1
Block in Quick On XL0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick On XL0 from 0.0.0.0/8 to any
Block in Quick On XL0 from 169.254.0.0/16 to any
Block in Quick on XL0 from 192.0.2.0/24 to any
Block in Quick on XL0 from 204.152.64.0/23 to any
block in quick on from 224.0.0.0/3 to xl0 any
Block in log Quick on XL0 from 20.20.20.0/24 to any
Block in log quick on xl0 from any to 20.20.20.20.0/32
Block in log quick on xl0 from any to 20.20.20.20.63/32
Block in log quick on xl0 from any to 20.20.20.20.64/32
Block in log quick on xl0 from any to 20.20.20.127/32
Block in log quick on xl0 from any to 20.20.20.128/32
Block in log quick on xl0 from any to 20.20.20.20.255/32
Pass Out on XL0 ALL
Pass Out Quick On XL1 Proto Tcp from any to 20.20.20.64/26 port = 80 flags s Keep State
Pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 Flags S Keep State
Pass Out Quick On XL1 Proto TCP from Any To 20.20.20.20.64/26 Port = 20 Flags S Keep StatePass Out Quick On XL1 Proto TCP from Any To 20.20.20.65/32 Port = 53 Flags S Keep State
Pass Out Quick On XL1 Proto UDP from any to 20.20.20.65/32 port = 53 Keep State
Pass Out Quick On XL1 Proto Tcp from any to 20.20.20.20.66/32 port = 53 Flags S Keep State
Pass Out Quick On XL1 Proto UDP from any to 20.20.20.66/32 port = 53 Keep State
Block Out on XL1 All
Pass in Quick On XL1 Proto TCP / UDP from 20.20.20.20.64/26 to any Keep State
Block Out on XL2 ALL
Pass in Quick On XL2 Proto TCP / UDP from 20.20.20.128/25 to any Keep State
From this example, we can see that my rule set becomes more and more bloated. If we add more rules, the situation will become more serious. The performance of communication between XL0 and XL2 is affected. If you establish such a firewall, you will waste a lot of bandwidth and CPU time, you can optimize the performance of the firewall by establishing a rule grouping to optimize the performance of the firewall. The rule group allows your rules to write a tree structure rather than a linear structure. The tree structure divides the original rules into different groups (such as interface, IP addresses), and each group has a group rule. When a package enters the firewall, check the group rules first, if not, skip The entire rule group, this looks like several firewalls on a machine.
Let's start with a simple example:
Block Out Quick On XL1 All Head 10
Pass Out Quick Proto TCP from any to 20.20.20.64/26 port = 80 flags s Keep State Group 10
Block Out on XL2 ALL
In this simple example, we can see the role of the rule group. When a packet's target interface is not XL1, do not match 10 sets of rule groups, and skip the 10th group. When the data packet is the target interface of the packet, the matching rule group 10 groups of other rules short circuit (depending on). Use this method to rewrite the above rules to improve the performance of the firewall.
Block in Quick on XL0 All Head 1
Block in Quick on XL0 from 192.168.0.0/16 to any group 1
Block in Quick on XL0 from 172.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0-12?
Block in Quick on XL0 from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0-
Block in Quick On XL0 from 127.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick On XL0 from 0.0.0.0/8 to any group 1
Block in Quick On XL0 from 169.254.0.0.0/16 to any group 1
Block in Quick On XL0 from 192.0.2.0/24 to any group 1
Block in Quick on XL0 from 204.152.64.0/23 to any group 1
Block in Quick On XL0 from 224.0.0.0.0.0.20.20.0.0.0.0.20.20.0/24 to any group 1
Block in log quick on xl0 from any to 20.20.20.0.0/32 group 1
Block in log quick on xl0 from any to 20.20.20.20.63/32 group 1
Block in log quick on xl0 from any to 20.20.20.20.64/32 group 1
Block in log quick on xl0 from any to 20.20.20.127/32 group 1
Block in log quick on xl0 from any to 20.20.20.128/32 group 1
Block in log quick on xl0 from any to 20.20.20.255/32 group 1
Pass in N xl0 all group 1
Pass Out on XL0 ALL
Block Out Quick On XL1 All Head 10
Pass Out Quick On Xl1 Proto TCP from any to 20.20.20.64/26 port = 80 flags s Keep State Group 10
Pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 Flags S Keep State Group 10
Pass Out Quick On XL1 Proto TCP from any to 20.20.20.64/26 port = 20 Flags S Keep State Group 10
Pass Out Quick On XL1 Proto TCP from any to 20.20.20.65/32 port = 53 Flags S Keep State Group 10
Pass Out Quick On XL1 Proto UDP from any to 20.20.20.65/32 port = 53 Keep State Group 10
Pass Out Quick On XL1 Proto Tcp from any to 20.20.20.20.66/32 port = 53 Flags S Keep State
Pass Out Quick On XL1 Proto UDP from any to 20.20.20.66/32 port = 53 Keep State Group 10
Pass in Quick On XL1 Proto TCP / UDP from 20.20.20.20.64/26 to any Keep State
Block Out on XL2 ALL
Pass in Quick On XL2 Proto TCP / UDP from 20.20.20.128/25 to any Keep State
Now you can see the rules set up. When the host of the XL2 network is not in communication with the XL0 network, the rule group 10 will be bypass, not being inspected by the rule group 10. In different cases, you can group based on the protocol or machine or network block.
3.10 Keyword FASTROUTE
Although we have forwarded some packets and block other packets, we look like a router, the firewall also reduces the value of the data package TTL (a jump minus) and tells the outside. We have received the packet. . But we can hide our existence in some applications (such as UNIX traceroute) without reducing the value of TTL. If we want to work properly, we don't want it to know the existence of the firewall, we can do this: Block in Quick on XL0 Fastroute Proto udp from any to any port 33434> <33465
Keyword FASTROUTE will tell IPFilter Do not let this package into UNIX IP stack because the IP stack entering UNIX will reduce the value of TTL. This data package is stolen from the firewall to the correct exit and does not reduce the value of TTL. Of course, IPFilter will indicate which interface from the system routing table.
In this example, we used the Block Quick for reason. If we use PASS, and we open IP forwarding in the kernel, we will have two exit paths of this packet, the kernel is likely to "I don't know what it is."
It should be noted that most UNIX kernel routing code is higher than IPFilter, so this keyword is not used to improve the performance of the firewall, but only to hide us.
4. Network address conversion and proxy
A largest application of the firewall is to make several machines can be connected to an external network through a public external interface. For those familiar with Linux, this concept is IP camouflage, and it has a more vague "Network Address Transformation" for others.
In fact, IPFilter can be referred to as NPAT, because IPFilter converts the address but also converts the port, but NAT simplifies the address.
4.1 Multiple addresses Convert to an address
Basic NAT can complete the function of Linux IP camouflage, which can do this:
Map tun0 192.168.1.0/24 -> 20.20.20.1/32
It is very simple, as long as the source address is in line with 192.168.1.0/24, its source address will be rewritten as 20.20.20.1 and the destination address will not change. The system converts the address to maintain a table, which can be converted to the correct address based on this table (20.20.20.1 into the intranet address).
The rules we have just wrote have a shortcoming: in most cases, we don't know the IP address (dynamic address) of our external network, but fortunately, NAT solves this problem, it can be replaced with 0/32, when it finds When the address is 0/32 it knows that the true address of the interface should be found.
Map tun0 192.168.1.0/24 -> 0/32
Now we can safely load the NAT rules, and you can connect to the external network without any modifications. What you need to do is just when your IP address changes, IPF -Y
You may think that when the address is converted, the port has changed. With our current rule source port, it will not change. In some cases, we hope that the port can also change, for example, when there is a firewall above your firewall, and we need to pass this firewall, or have many hosts. The same source port, this time there is a conflict, IPNAT can solve this problem with keyword portmap:
Map tun0 192.168.1.0/24 -> 0/32 portmap TCP / UDP 20000: 30000
Its practice is to plug all links into ports between 20000 and 30000.
4.2 Multiple Addresses to Address Pool
Nat Another Usage is to map a lot of static address mapping (address translation) to a smaller address space, using the knowledge you have learned to do: map tun0 192.168.0.0/16 -> 20.20.0.0/24 portmap TCP / udp 20000: 60000
Of course, some remote applications require multiple links from the same IP address (such as 192.168.0.31 to access 218.9.121.110, it is likely to come from different IP addresses after NAT), we can tell Nat static mapping each Link, with keyword MAP-Block implementation:
Map-block Tun0 192.168.1.0/24 -> 20.20.20.0/24
4.3 point-to-point mapping
BIMAP TUN0 192.168.1.1/32 -> 20.20.20.1/32
4.4 camouflage
Suppose we have a web server address is 20.20.20.5, we suspect that our network security has a problem, we don't want to serve on port 80 because it needs to run for a short period of time with root. How do we let the web server run at 8000 ports? How do the client access? We can use NAT's redirection to solve this problem, indicating all 20.20.20.5:80 access points to 20.20.20.5:8000, implemented with RDR keyword:
RDR TUN0 20.20.20.5.20.20.5 Port 8000
Of course, we can also specify an agreement if we want to redirect a UDP service instead of TCP (TCP is default). For example, if we have a "honeypot" imitation Windows back door, we can direct the entire network to this place:
Rdr Tun0 20.20.20.0/24 Port 31337 -> 127.0.0.1 Port 31337 UDP
RDR has a considerable place: you can't simply use the redirection into a "mirror". E.g:
RDR TUN0 20.20.20.5.20.20.6 Port 80 TCP
Will not work properly, because .5 and .6 are on the same local area network segment. First, a packet that reaches 20.20.20.5 interface TUN0 will be redirected to 20.20.20.6, that is, its destination address is modified, and then sent to IPF filtering rules for filtering (note the order, first address conversion Filtering), if it passes IPF, then it is sent to UNIX routing code, this time this packet destination address is changed, but its destination interface is TUN0, the system does not know what to do. Therefore, "mirror" is not working properly. Remember: When using RDR, the destination address must leave the firewall from different interfaces.
4.5 Transparent Agent
When you are building a firewall, you will think that you should use the agent, you can "tighten" your firewall rules to protect your internal network. Or you think your NAT is not working properly, you can use redirection:
RDR XL0 0.0.0.0.0 Port 21 -> 127.0.0.1 Port 21
This rule is that any packets of FTP have been redirected to 127.0.0.1
Some of the agents for FTP, because web browsers or other automatic login type clients do not know how to communicate with the agent. There is a patch is a SFTP-GW for TIS firewall, and NAT works with this patch to solve this problem. Many agent software is a transparent agent (such as Squid).
When you want to force your user to request verification to the proxy, keyword RDR is often useful. (For example, you want your engineers to surf the Internet, but do not want the call center employee online)
4.6 Application Agent FTP has two ways of working, if you want to make the FTP behind the firewall, you should use the application agent. We can let our firewall pay attention to each package of it, when it finds that it is processing the active FTP connection, it produces several temporary rules, just like Keep State, making FTP data transfer work. We need some rules:
Map tun0 192.168.1.0/24 -> 20.20.20.1/32 Proxy Port FTP FTP / TCP
Remember to write this rule in front of other mapping rules, otherwise other mapping rules work in this rule, remember that IPNAT is different from ipfilter, iPnat is the first match rule (just jump over as long as one of the other rules). In addition, the RCMD and RAUDIO proxy must also write in front of other rules.
5. Operate the filtering rules, IPF
IPF is used to load IPFilter rules. Rules files can be placed anywhere in the system, but generally in /etc/ipf.rules ,/usr/local/etc/ipf.rules ,/etc/opt/ipf/ipf.rules
IPFilter can have two sets of rules, event rules, and inactive rules. By default, all operations are based on active rules. You can use IPF -I to use inactive rules. These two rules can be converted with parameters -s. This is very useful, you don't have to clear the old rules when you test the new rules.
IPF plus parameters -R can delete rules in the list, but the compare method is to use parameter -f clear rules and then load the modified rules.
The easiest way to load rules is IPF -FA -F /ETC/IPF.Rules. Please refer to IPF's Man Page for other ways to get other operating rules.
6. Load NAT rules, ipnat
iPnat is used to load NAT rules. Rules files can be placed anywhere in the system, but it is usually placed in /etc/ipnat.rules/usr/local/etc/ipf/ipnat.Rules to load with IPNAT, or parameters -r Delete rule. However, it is generally emptying (parameter-C) and then loads, and the mapping-C-C is invalid, can be cleared with -f.
NAT rules and event mappings can be viewed by ipnat -l. The simplest method in NAT rules is ipnat -cf -f /etc/ipnat.rules.
7. Monitoring and debugging
You may want to know what the firewall is doing, and if Ipfilter does not have a status monitoring tool, it is not a complete firewall.
7.1 IPFSTAT Tools
The simplest use of IPFSTAT is to display a data sheet on the firewall execution, such as how many packages pass or abandon, whether they are recorded, and how many status bars, etc. You will see some of this data:
# ipfstat
Input packets: blocked 99286 passed 1255609 Nomatch 14686 Counted 0
Output packets: blocked 4200 passed 1284345 Nomatch 14687 Counted 0
Input Packets Logged: Blocked 99286 Passed 0
Output packets logged: blocked 0 passed 0
Packets logged: Input 0 Output 0
Log Failures: Input 3898 Output 0
Fragment State (in): Kept 0 Lost 0
Fragment State (OUT): Kept 0 Lost 0
Packet State (in): Kept 169364 Lost 0
Packet State (OUT): Kept 431395 Lost 0
ICMP REPLIES: 0 TCP RSTS SENT: 0Result Cache Hits (in): 1215208 (OUT): 1098963
In Pullups Succeeded: 2 Failed: 0
OUT PULLUPS SUCCEEDED: 0 failed: 0
FASTROUTE SUCCESS: 0 Failures: 0
TCP CKSUM FAILS (in): 0 (OUT): 0
Packet log flags set: (0)
None
IPFSTAT can also display your current list of rules. Which IN rules or OUT rules are displayed in parameter -i or -o, plus parameters-h to display more detailed information, including how many data packages each rule. E.g:
# ipfstat -ho
2451423 Pass Out on xl0 from any to any
354727 Block out on ppp0 from any to any
430918 Pass Out Quick on PPP0 Proto TCP / UDP from 20.20.20.0/24 to any Keep State Keep Frags
From here we can see which places may not normal, IPFSTAT can't tell you which rules are correct or wrong, it just tells you what happened because of your rules. In order to further debug rules, parameters can be used, this parameter shows the order of rules.
# ipfstat -on
@ 1 Pass Out on xl0 from any to any
@ 2 Block Out on PPP0 from Any To Any
@ 3 Pass Out Quick On PPP0 Proto TCP / UDP from 20.20.20.0/24 To any Keep State Keep Frags
The last use of IPFSTAT is to display some data on status records. This parameter is -s
# ipfstat -s
281458 TCP
319349 UDP
0 ICMP
19780145 Hits
5723648 Misses
0 Maximum
0 no memory
1 ACTIVE
319349 Expired
281419 Closed
100.100.100.1 -> 20.20.20.1 TTL 864000 Pass 20490 PR 6 State 4/4
PKTS 196 BYtes 17394 987 -> 22 585538471: 2213225493 16592: 16500
Pass in log quick keep state
Pkt_flags & b = 2, pkt_options & ffffffff = 0
PKT_Security & fff = 0, pkt_auth & fff = 0
From this we can see there is a TCP connection status. The content of the different versions of the output will be slightly different, but the basic information is the same. The status of this connection is 4/4, and other status is incomplete, we will introduce in detail later. The timeout time of the 4/4 state is 240 hours, it is a long period of time, but it is default the timeout time of the established TCP connection. When this state is idle, the value of the TTL is reduced per second, and finally timeout and deleted. When a connection status is re-enabled, its TTL value is restored to 864000, and it must be ensured that an active connection will not be timeout. We can also see 196 17K packets. There is also the port number of both ends, this example is 987 and 22. This means that this state represents a connection from 100.100.100.1 ports 987 to 20.20.20.1 port 22. The largest number of the second line is the TCP sequence number, ensuring that no one can easily inject the camouflaged packet in this connection. TCP's window is also displayed 7.2 ipmon
Ipfstat is useful to collect things happening on the system, but it is not convenient and promptly viewing logs. IPMON is a tool that enables the ability to view packet filtered logs (logs generated by keyword logs), status logs, or NAT logs, and logs that they are jointly generated by them. This tool can run at the front desk or run in the background (transfer the log to Syslogd or a file). If we want to see the current situation of the status table, you can run ipmon -o s
# ipmon -o s
01/08/1999 15: 58: 57.836053 State: New 100.100.100.1, 53 -> 20.20.20.15, 53 Pr UDP
01/08/1999 15: 58: 58.030815 State: New 20.20.20.15, 123 -> 128.167.1.69, 123 PR UDP
01/08/1999 15: 59: 18.032174 State: New 20.20.20.15, 123 -> 128.173.14.71 ,123 PR UDP
01/08/1999 15: 59: 24.570107 State: Expire 100.100.100.1,53 -> 20.20.20.15, 53 Pr UDP PKTS 4 bytes 356
01/08/1999 16: 03: 51.754867 State: New 20.20.20.13, 1019 -> 100.100.100.10, 22 PR TCP
01/08/1999 16: 04: 03.070127 State: EXPIRE 20.20.20.13, 1019 -> 100.100.100.10, 22 pr TCP PKTS 63 bytes 4604
We can see a status bar that has an external machine sends DNS requests to our DNSSever, two XNTP ping to the time server, a short outward SSH connection.
IPMON can also show which packets are recorded by the log. E.g
# ipmon -o i
15: 57: 33.803147 PPP0 @ 0: 2 B 100.100.100.103, 443 -> 20.20.20.10, 4923 Pr TCP LEN 20 1488 -A
Their meaning is the timestamp interface rule blocking source address, port -> destination address, port protocol TCP package length 20 1488 ACK
Finally, let's take a look at the NAT table.
# ipmon -o n
01/08/1999 05: 30: 02.466114 @ 2 Nat: RDR 20.20.20.253, 113 <-> 20.20.20.253, 113 [100.100.100.13, 45816]
01/08/1999 05: 30: 31.990037 @ 2 Nat: EXPIRE 20.20.20.253, 113 <- -> 20.20.20.253, 113 [100.100.100.13, 45816] PKTS 10 bytes 455 This is a redirected rule for use in The occasion of providing rules behind our firewall.
8. Ipfilter's special usage
8.1 Deep State Based on Server and Sign
Save the status is useful, but it is easy to make mistakes. Typically, you add Keep State in the rules that interact with the packet, and a universal error is mixing status tracking and logo-based filtration:
Block in all
Pass in Quick Proto TCP from any to 20.20.20.20/32 port = 23 flags s
Pass Out All Keep State
The purpose of these rules is to allow the client to connect to the server 20.20.20.20 for Telnet connection. If you are experimenting this rule, you will find it to work right away, because we are matching SY, the status bar is not possible 4/4 (incomplete state), this state default timeout is 60 seconds.
We can rewrite the rules to solve this problem:
1)
Block in all
Pass in Quick Proto TCP from any to 20.20.20.20/32 port = 23 Keep State
Block Out All
or
2)
Block in all
Pass in Quick Proto TCP from any to 20.20.20.20/32 port = 23 Flags S Keep State
Pass Out All Keep State
Any group of these two sets of rules can establish a complete state bar for each connection.
8.2 Solving FTP
FTP has two different transmission modes, and the firewall administrator has to solve these problems of FTP. Worse, the FTP client and server are different.
There are two data transfer modes, active and passive inside the FTP protocol. Active transmission is a server to connect to a client's open port and then pass data. Conversely, passive transmission is a client to initiate a connection and accept data to the server.
8.2.1 Run FTP Services
In running the FTP service, the connection to the active FTP is relatively simple. It is a big problem for the passive FTP. First we discussed how to handle the active FTP, then passive FTP. Usually active FTP is like an entry HTTP or SMTP connection: We can open the FTP port and Keep State is OK:
Pass in Quick Proto TCP from any to 20.20.20.20/32 port = 21 Flags S Keep State
Pass Out Proto TCP All Keep State
These two rules allow for active FTP connections, which is the most common type.
Here is to process passive FTP connections. Web browser is the default, it becomes more popular, so we must support it. The problem with passive FTP is for each passive connection, and the FTP server must reope with a new port (usually more than 1023 or more). This is like providing a new service on the server. If our firewall default strategy is disabled, then this new service will be blocked, and the FTP session is interrupted. But we have something else can solve this problem.
Maybe someone will open all 1023 ports to solve this problem. In fact, this method does solve the problem, although it is unsatisfactory:
Pass in Quick Proto Tcp from any to 20.20.20.20/32 port> 1023 Flags S Keep State
Pass Out Proto TCP All Keep State Opens all 1023 ports, we will face some potential dangers. Port 1-1023 is provided to the service process, numerous programs determine ports, such as NFSD and X, such as NFSD and X
Fortunately, the FTP service process can determine which port is assigned to the passive connection. This means you can only open 15001-19999 port as the port of FTP instead of opening all 1023 ports. In the wu-ftpd, the passive port can be specified in FTPAccess. Please refer to the manual of FTPAccess. Ipfilter needs to do just to establish a corresponding rule:
Pass in Quick Proto TCP from any to 20.20.20.20/32 port 15000> <2000 Flags S Keep State
Pass Out Proto TCP All Keep State
If this still can't be satisfied, you have to modify the IPF to support FTP or modify FTP to support IPF.
8.2.2 Run the FTP Customer
Although IPF is not perfect for FTP services, the support from 3.3.3 has been relatively perfect for FTP client software. Just like FTP services, FTP client applications also have two transmission modes: active and passive.
From the viewpoint of the firewall, the simplest transmission mode of FTP is passive mode. Suppose you have a passive transfer to the KEEP State, passive transmission. If you haven't done this, you can use the following rules:
Pass Out Proto TCP All Keep State
Active mode has a little trouble, active mode enables the server to open the second connection with the client for data exchange. There is a problem when there is a firewall between them. In order to solve this problem, IPFilter contains an IPNAT agent, which is temporarily opened on the firewall, making the FTP server to connect the client smoothly. Even you didn't use ipnat to do address translation, this agent is also effective. The following rules join the IPNAT configuration file (EP0 is an external network interface):
Map EP0 0/0 -> 0/32 Proxy Port 21 FTP / TCP
For details on IPFilter internal agents, please see 3.6
8.3 kernel parameters
Some core parameters are necessary for establishing IPF, and some let us easily understand the information of establishing a firewall. The main one is to open IP forwarding, otherwise IPF can't do anything, because IP stacks do not really routing packets.
IP forwarding:
OpenBSD:
Net.inet.ip.Forwarding = 1
FreeBSD:
Net.inet.ip.Forwarding = 1
NetBSD:
Net.inet.ip.Forwarding = 1
Solaris:
NDD -SET / DEV / IP IP_FORWARDING 1
Port adjustment:
OpenBSD:
Net.inet.ip.portfirst = 25000
FreeBSD:
Net.inet.ip.portRange.First = 25000 net.inet.ip.portRange.last = 49151
NetBSD:
Net.inet.ip.anonportmin = 25000 net.inet.ip.anonportmax = 49151
Solaris:
NDD -SET / DEV / TCP TCP_SMALLEST_ANON_PORT 25000
NDD -SET / DEV / TCP TCP_LARGEST_ANON_PORT 65535
Other useful parameters:
OpenBSD:
Net.inet.ip.sourceReroute = 0
Net.inet.ip.directed-Broadcast = 0OpenBSD:
Net.inet.ip.sourceReroute = 0
Net.inet.ip.directed-Broadcast = 0
FreeBSD:
Net.inet.ip.sourceReroute = 0
Net.ip.accept_sourceRoute = 0
NetBSD:
Net.inet.ip.allowsrcrt = 0
Net.inet.ip.forwsrcrt = 0
Net.inet.ip.directed-Broadcast = 0
Net.inet.ip.Redirect = 0
Solaris:
NDD -SET / DEV / IP IP_FORWARD_DIRECTED_BROADCASTS 0
NDD -SET / DEV / IP IP_FORWARD_SRC_ROUTED 0
NDD -SET / DEV / IP IP_RESPOND_TO_ECHO_BROADCAST 0
In addition, FreeBSD has some SYSCTL variables:
Net.inet.IPF.FR_Flags: 0
Net.inet.IPF.FR_Pass: 514
Net.inet.IPF.FR_Active: 0
Net.inet.IPF.FR_TCPIDletimeout: 864000
Net.inet.IPF.FR_tcpclosewait: 60
Net.inet.IPF.FR_tcplastack: 20
Net.inet.IPF.FR_TcPtimeout: 120
Net.inet.IPF.FR_tcpclosed: 1
Net.inet.IPF.FR_UDPTIMEOUT: 120
Net.inet.IPF.FR_ICMptimeout: 120
Net.inet.IPF.FR_DEFNATAGE: 1200
Net.inet.IPF.FR_IPFRTTL: 120
Net.inet.IPF.IPL_UNREACH: 13
Net.inet.IPF.IPL_INITED: 1
Net.inet.IPF.FR_AUTHSIZE: 32
Net.inet.IPF.FR_AUTHUSED: 0
Net.inet.IPF.FR_Defaultautauthage: 600
9. Interesting IPF
This part is not some new things to teach you IPF, but it may mention some things you have not considered, or to invent some of us we have not considered.
9.1 Internal Network Filtration
A long time ago, there was a TCP-WRAPPER package called Wietse Venema, which was used to protect web services, which is good, but TCP-WrapPers also have a shortcoming. First, just like it is said, it can only protect TCP services. In addition, you must use inetd to run the service, and you have to compile together with Libwrap, and the service process is linked to TCP-Wrapper to protect your service process. This system has left some huge security vulnerabilities, we can use IPF to block these vulnerabilities on this unit. For example, my computer needs frequent access to a non-reliable network, I can use the following rules:
Pass in Quick On LO0 All
Pass Out Quick On Lo0 All
Block in Log All
Block Out All
Pass in quick proto tcp from any to any port = 113 flags s keep stat
Pass in quick proto tcp from any to any port = 22 Flags S Keep State
Pass in quick proto tcp from any port = 20 to any port 39999> <45000 flags s Keep StatePass Out Quick Proto Icms from any to any Keep State
Pass Out Quick Proto TCP / UDP from Any To Any Keep State Keep Frags
This rule set is that your local network is very safe. If you want your firewall safer, you can use the FTP app agent, and you can join the rule set to prevent spoofing. If your machine has many users and you don't want them to launch a service that is not their service, this rule set is relatively appropriate. This rule set can't prevent Cracker with root privileges from modifying your IPF rules or launch a service process, which allows you to be safer in a complex local area, I think this is important. The rules that add local filtration in a rule set can usually solve many performance issues.
9.2 What is a firewall? Transparent filter
Building a firewall must ensure the integrity of the firewall itself. Can someone break through your firewall and change firewall rules? This is a problem that administrators must face.
Many network administrators are familiar with ordinary Ethernet bridges, which are used to connect two separate Ethernet to an Ethernet device. Usually used to connect two buildings, conversion network speeds, or extended network valid connection distances. The hub and exchanger are ordinary bridges, sometimes they have only two interfaces, we call repeaters. Now Linux, OpenBSD, NetBSD, FreeBSD can use a PC to be used by bridges. A common feature of the bridge is to connect two machines, and the two machines don't know the existence of bridges.
The Ethernet Bridge acts on the second layer of the ISO protocol stack, the IP stack acts on the third layer. IP filter mainly acts on the third layer, and also involves the second layer of network interface. OpenBSD's bridge equipment can establish an invisible firewall with IP filter. This system does not require an IP address, which does not even expose its Ethernet address (MAC) to make the delay of the packet slightly.
Establish such rules amazing simple. In OpenBSD, the first bridge device name is bridbe0. Suppose there are two network cards, XL0 and XL1 on our machine. In order to make this machine become a bridge, we have to do just three commands:
Brconfig Bridge0 Add XL0 Add XL1 UP
IFCONFIG XL0 UP
IFCONFIG XL1 UP
All packets arriving to XL0 are sent to XL1, all of which are delivered to XL1 is sent to XL0. You will notice that both network cards do not assign IP addresses, and there is no need. It is best not to assign an address.
Although there is a Bridge0 interface, we are not based on this interface, starting from a simple example, suppose our network is like this:
20.20.20.1 <--------------------------------> 20.20.20.0/24 network hub
There is a router on 20.20.20.1, all 20.20.20.0/24 outgoing packets are passed 20.20.20.1. Now we join an IPF bridge:
20.20.20.1 <------- / xl0 ipfbridge XL1 / -------> 20.20.20.0/24 network hub
We set such rules on the IPF bridge:
Pass in Quick ALL
Pass Out Quick All
The function of this network has not changed, and now we change the rules:
Block in Quick On XL0 Proto ICMP
Pass in Quick Allpass Out Quick ALL
20.20.20.1 and 20.20.20.0/24 still believe that the network has not changed, just if 20.20.20.1 ping 20.20.20.2, it will accept the response. In fact, 20.20.20.2 will not accept ping at all. IPFilter blocks this packet (ping) to reach the other end. We can set an IPF bridge from anywhere. This method can narrow a network to a host, as long as there is enough network card.
Blocking ICMP from the external network looks a bit stupid, especially if you are a system administrator, you want to ping the outside network, traceroute, or change the size of the MTU. Let us build a better rule set, using the main features of IPF: status check.
Pass in Quick On XL1 Proto TCP Keep State
Pass in Quick On XL1 Proto UDP Keep State
Pass in Quick On XL1 Proto ICMP Keep State
Block in Quick on XL0
In this case, 20.20.20.0 / 24 (perhaps the XL1 network will be better) can reach the external network, and the external network cannot enter 20.20.20.0/24, and even when the router is unsafe, the firewall can still work.
Now we are only filtered based on interfaces and protocols. We can also filter based on IP addresses. Usually we will provide some services, so our rule set will look like this:
Pass in Quick On XL1 Proto TCP Keep State
Pass in Quick On XL1 Proto UDP Keep State
Pass in Quick On XL1 Proto ICMP Keep State
Block in Quick On XL1 # nuh-uh, We're Only Passing TCP / UDP / ICMP SIR.
Pass in quick on xl0 proto udp from any to 20.20.20.2/32 port = 53 Keep State
Pass in quick on xl0 proto tcp from any to 20.20.20.2/32 port = 53 flags s Keep State
Pass in quick on xl0 proto tcp from any to 20.20.20.20.3/32 port = 25 flags s Keep State
Pass in quick on xl0 proto tcp from any to 20.20.20.20.7/32 port = 80 flags s keep stat
Block in Quick on XL0
Now we have such a network, 20.20.20.2 is a domain name server, 20.20.20.3 is a mail server, 20.20.20.7 is a web server.
We must admit that the IPFilter bridge is still very imperfect.
First, all the rules have only in the in-direction and there is no OUT direction. This is because OUT of the OpenBSD bridge has not been implemented. The original meaning of this design is not due to the use of multiple interfaces. Now performance issues have been improved, but OUT is still not implemented. If you need it, you can manually modify the code or seek help from other OpenBSD users.
Second, it is very unwise to use NAT in the IPF bridge. Because this will expose the existence of IPF bridges, and there is no IP address to be mapped. Of course, you can set the IP address to the interface so that NAT can work normally, but the advantages of the bridge will decrease.
9.2.1 Using transparent filtration repair network design error
Many organizations believe that a firewall to establish a subnet is a good idea. They have a network of Class C addresses and even greater address spaces, which contains all services, including their servers, workstations, and routers. This is very bad! Re-adjust the appropriate subnet, trust level, filter, etc. will pay a lot of human and financial resources. Expensive paying usually makes most institutions don't want to solve this problem, which does not include downtime. This problem looks like this: 20.20.20.1 Router 20.20.20.6 Unix Server
20.20.20.2 Unix Server 20.20.20.7 NT Workstation
20.20.20.3 UNIX Server 20.20.20.8 NT Server
20.20.20.4 WIN98 Workstation 20.20.20.9 Unix Workstation
20.20.20.5 Intelligent Switch 20.20.20.20.20 WIN95 Workstation
The actual situation may be much more complicated. Amazing practice is to return all trusted servers into a subnet, and other workstations are another subnet, and the remaining is the switch in the same subnet. Now the router can filter all the subnets and restrict the workstation access server. Now this C network looks more consistent.
First we separate the routers, workstations, and servers. In order to achieve this, we need two hubs (or switches), a three network card IPF machine. We connect all the servers on a hub, all workstations pick another hub, usually we will connect two hubs Get up, then pick it up to the router. Here we connect the router to the ipf XL0 interface, the server group is connected to the XL1, the workstation is connected to XL2, and our network map looks like this:
| 20.20.20.2 UNIX Server
ROUTER (20.20.20.1) _____ | 20.20.20.3 Unix Server
| / | 20.20.20.6 Unix Server
| / XL1 | 20.20.20.7 NT Server
----- / XL0 IPF Bridge <
XL2 | 20.20.20.4 Win98 Workstation
______ | 20.20.20.8 Nt Workstation
| 20.20.20.9 UNIX Workstation
| 20.20.20.10 Win95 Workstation
In order to fully utilize the advantages of the Filter Bridge, we have added some rules:
Pass in quick on xl0 proto udp from any to 20.20.20.2/32 port = 53 Keep State
Pass in quick on xl0 proto tcp from any to 20.20.20.2/32 port = 53 flags s Keep State
Pass in quick on xl0 proto tcp from any to 20.20.20.20.3/32 port = 25 flags s Keep State
Pass in quick on xl0 proto tcp from any to 20.20.20.20.7/32 port = 80 flags s keep stat
Block in Quick on XL0
Pass in Quick On XL1 Proto TCP Keep State
Pass in Quick On XL1 Proto UDP Keep State
Pass in Quick On XL1 Proto ICMP Keep State
Block in Quick On XL1 # nuh-uh, we're online tcp / udp / icmp sir.pass in Quick On XL2 Proto TCP Keep State
Pass in Quick On XL2 Proto UDP Keep State
Pass in Quick On XL2 Proto ICMP Keep State
Block in Quick On XL2 # Nuh-UH, We're Only Passing TCP / UDP / ICMP SIR.
Thus, the address of the router destination is that the data packet of the server will be limited, and the server can freely communicate with the workstation. If you don't want your workstation access server to make some changes:
Pass in Quick On XL2 Proto TCP Keep State
Pass in Quick On XL2 Proto UDP Keep State
Pass in Quick On XL2 Proto ICMP Keep State
Block in Quick On XL2 # Nuh-UH, We're Only Passing TCP / UDP / ICMP SIR.
Change to:
Block in Quick On XL2 from any to 20.20.20.0/24
Pass in Quick On XL2 Proto TCP Keep State
Pass in Quick On XL2 Proto UDP Keep State
Pass in Quick On XL2 Proto ICMP Keep State
Block in Quick On XL2 # Nuh-UH, We're Only Passing TCP / UDP / ICMP SIR.
Maybe you want the workstation to send and receive emails through the IMAP. This is also very simple:
Pass in Quick On XL2 Proto TCP from any to 20.20.20.3/32 port = 25
Pass in Quick On XL2 Proto TCP from any to 20.20.20.3/32 port = 143
Block in Quick On XL2 from any to 20.20.20.0/24
Pass in Quick On XL2 Proto TCP Keep State
Pass in Quick On XL2 Proto UDP Keep State
Pass in Quick On XL2 Proto ICMP Keep State
Block in Quick On XL2 # Nuh-UH, We're Only Passing TCP / UDP / ICMP SIR.
9.3 Drop-Safe Logging with dup-to and to.
As we introduced, we introduce how to prevent packets, now we have to do to block packets, but forward the packet to another system, this system is processed before the LOG packet. Our firewall systems can have many network cards, whether as a bridge or router, so we can create a Drop-Safe system, a typical example is to create an intrusion detection system. First we have to hide the intrusion detection system so that it is not detected.
Before starting, we need to pay attention to some operational features. If we just process the blocked packets, we can use the keyword to or fASTROUTE. (We will explain the difference between them) If we want to pass a packet, We must copy this packet.
9.3.1 The dup-to method
If we want to send a copy of each packet away from the XL3 interface to the DROP-SAFE network on ED0 We can use this rule:
Pass out on xl3 dup-to ed0 from any to any, you can also directly indicate an address sent to the Drop-Safe network, not just send a copy to that network. Slightly change the rules:
Pass Out on XL3 Dup-to ED0: 192.168.254.2 from any to any
It is worth noting that this method changes the destination address of the copy, and the log is also changing. For this reason, we recommend using our familiar address as the address of the log, according to this address corresponding to different logs (for example, you should not only use 192.168.254.2 to record the web server and mail server log), even if there is no system This address. Usually IPFilter uses ARP to find new destination addresses, but we can create static ARP records on the IPFilter system to avoid this problem.
9.3.2 The To Method
Dup-to has a clear disadvantage because it creates a copy for each packet, and will change the destination address, which requires some time to do this, and then can handle another packet. If we don't care through the packet, just prevent the passage of the packet, we can use the keyword to, let the packet through the routing table, and then send it to a different interface.
Block in Quick On XL0 to ED0 Proto Tcp from any to any port <1024
Just like Fastroute, if Block is converted to PASS, the system is likely to be chaotic.
10. Final rules to prevent camouflage
For various reasons, IANA retains some address spaces, and these addresses have not been used when this document is finalized. Because these address spaces have not been allocated, if these addresses appear in the source address or destination address.
Therefore, it is not necessary to consider it, this is a complete counterfeit address list:
#
# S / OUTSIDE / OUTSIDE-Interface (EG: FXP0)
# s / mynet / network-cidr-address (EG: 1.2.3.0/24)
#
Block in OUTSIDE ALL
Block in Quick On Outside from 0.0.0.0/7 to any
Block in Quick On Outside from 2.0.0.0/8 to any
Block in Quick On Outside from 5.0.0.0.0/8 to any
Block in Quick on Outside from 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0-
Block in Quick On Outside from 23.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1
Block in Quick On Outside from 27.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8?
Block in Quick On Outside from 31.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0-8?
Block in Quick On Outside from 67.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1
Block